Lieutenant Commander

How can we get report if there is any change in ArcSight?

Hello Everyone,

I just need some help. I want to pull a report from ArcSight if there is any change in configuration, or any user creation or deletion. I need your help: how can I get that report or those logs?

 

Thanks

2 Replies
Micro Focus Frequent Contributor

Hello @91583177557450

 

You can enable extended audit settings in the ArcSight server.properties file and specify the resources that are included by using the option. 

resource.audit.update.uris=

(The manager must be restarted for the changes to take effect)

This will then generate ArcSight audit events for the resources specified. These events can then be used in rules, reports, dashboards, etc.

For example, to audit all changes to rules you would specify

resource.audit.update.uris=/All Rules

or to audit changes to a specific folder of rules

resource.audit.update.uris=/All Rules/foo/bar

You can do this for any type of resource and then look for the audit events associated with it. Here are a few more examples... notice that multiple resource URIs are comma separated.

resource.audit.update.uris=/All Rules,/All Users/Administrators,/All Active Lists/foo/bar

This would audit all Rule resource changes, all changes to user resources in the Administrators folder, and all changes to active lists in the subfolder foo/bar.

For example, the audit event that is generated from including /All Rules would generate an audit event when a rule resource is updated (configuration changed):

deviceProduct = ArcSight

sourceUserId = 45mid0ndjndmj83== (the ArcSight ID of the user)

destinationUserName = username

deviceEventClassId = resource:101

deviceCustomString2 = the resource URI that was edited.

There are a lot more fields that are populated on the event but hopefully this gives you enough information to go and explore those events and build some useful content / reports!

Let me know if you have any issues!

You can find additional audit settings for specific resources in the server.defaults.properties file. This is usually located in $ARCSIGHT_HOME/manager/config/server.default.properties
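
Added example, not part of the original reply and not ArcSight code: a small Python report over exported audit events, grouping resource:101 updates by user, resource URI and the resource.audit.update.uris entry that covers them. It assumes the events were exported to CSV with columns named after the fields listed above, and that a configured URI covers the folder itself and everything below it; the sample rows and user names are constructed.

```python
import csv
import io
from collections import Counter

# Property line as shown in the reply above (server.properties).
PROPERTY_LINE = ("resource.audit.update.uris="
                 "/All Rules,/All Users/Administrators,/All Active Lists/foo/bar")

# Constructed sample export; column names follow the event fields named in the reply.
SAMPLE_CSV = """deviceProduct,deviceEventClassId,destinationUserName,deviceCustomString2
ArcSight,resource:101,alice,/All Rules/foo/bar/Brute Force
ArcSight,resource:101,alice,/All Rules/foo/bar/Brute Force
ArcSight,resource:101,bob,/All Users/Administrators/carol
ArcSight,resource:101,bob,/All Rules Archive/old rule
Other,resource:101,eve,/All Rules/x
ArcSight,agent:050,,/All Rules/y
"""

def parse_audit_uris(line):
    """Split the comma-separated property value; resource URIs may contain spaces."""
    key, _, value = line.partition("=")
    if key.strip() != "resource.audit.update.uris":
        raise ValueError("not the resource.audit.update.uris property")
    return [u.strip().rstrip("/") for u in value.split(",") if u.strip()]

def covering_uri(resource_uri, audit_uris):
    """Return the configured URI covering resource_uri, or None.
    Assumption: an entry covers itself and everything in the folders below it,
    so '/All Rules' does not cover '/All Rules Archive/...'."""
    hits = [u for u in audit_uris
            if resource_uri == u or resource_uri.startswith(u + "/")]
    return max(hits, key=len) if hits else None

def change_report(csv_text, audit_uris):
    """Count resource:101 (update) events per (user, resource URI, covering entry)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["deviceProduct"] != "ArcSight" or row["deviceEventClassId"] != "resource:101":
            continue
        uri = row["deviceCustomString2"]
        counts[(row["destinationUserName"], uri, covering_uri(uri, audit_uris))] += 1
    return counts

if __name__ == "__main__":
    uris = parse_audit_uris(PROPERTY_LINE)
    for (user, uri, cover), n in sorted(change_report(SAMPLE_CSV, uris).items(), key=str):
        print(f"{n:3d}  {user:8s} {uri}  [{cover or 'outside configured list'}]")
```

Rows reported as outside the configured list are updates whose URI is not under any entry in the property line.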

 

 

Lieutenant Commander

Thanks a lot for sharing. Let me try this, and I will share my experience and issues, if any.
